From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.62) (envelope-from ) id 1I18uh-0000rC-80 for garchives@archives.gentoo.org; Wed, 20 Jun 2007 22:44:35 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.14.0/8.14.0) with SMTP id l5KMhXIv011774; Wed, 20 Jun 2007 22:43:33 GMT Received: from relais.videotron.ca (relais.videotron.ca [24.201.245.36]) by robin.gentoo.org (8.14.0/8.14.0) with ESMTP id l5KMfXOs009480 for ; Wed, 20 Jun 2007 22:41:33 GMT Received: from TesterServ.TesterNet ([70.83.102.151]) by VL-MO-MR004.ip.videotron.ca (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005)) with ESMTP id <0JJY00989HP995G0@VL-MO-MR004.ip.videotron.ca> for gentoo-dev@lists.gentoo.org; Wed, 20 Jun 2007 18:41:33 -0400 (EDT) Received: from uucp by TesterServ.TesterNet with local-rmail (Exim 4.63) (envelope-from ) id 1I18rk-0006al-KJ for gentoo-dev@lists.gentoo.org; Wed, 20 Jun 2007 18:41:32 -0400 Received: by TesterTop3.tester.ca (Postfix, from userid 1000) id 3BDDA4A4034; Wed, 20 Jun 2007 18:41:03 -0400 (EDT) Date: Wed, 20 Jun 2007 18:41:03 -0400 From: Olivier =?ISO-8859-1?Q?Cr=EAte?= Subject: Re: [gentoo-dev] how to handle sensitive files when generating binary packages In-reply-to: <200706201828.00854.vapier@gentoo.org> To: gentoo-dev@lists.gentoo.org Message-id: <1182379263.12859.13.camel@localhost> Organization: Gentoo Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-version: 1.0 X-Mailer: Evolution 2.8.3 Content-type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-VHfIKLsZYcx/2xvUKvYP" References: <200706200047.04951.vapier@gentoo.org> <200706201719.01571.vapier@gentoo.org> <1182376965.12859.7.camel@localhost> <200706201828.00854.vapier@gentoo.org> X-Archives-Salt: e9a1bb07-f139-4f73-96ce-335203180fb6 X-Archives-Hash: 1cce23088a7b9f26069ccb338aa41f0c --=-VHfIKLsZYcx/2xvUKvYP Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On Wed, 2007-20-06 at 18:28 -0400, Mike Frysinger wrote: > On Wednesday 20 June 2007, Olivier Cr=C3=AAte wrote: > > On Wed, 2007-20-06 at 17:19 -0400, Mike Frysinger wrote: > > > the use of the binpkg is not an issue, it's the creation ... people > > > blindly creating tbz2's which could contain their sensitive files and > > > posting them > > > > > > i'll just go ahead with the feedback from Olivier and have quickpkg s= kip > > > CONFIG_PROTECT by default > > > > This will by default create potentially broken packages (since many jus= t > > wont work without their CONFIG_PROTECTed files). That's why I suggested > > a big fat warning and accepting that we can't protect users against > > themselves or against social engineering (aka their own stupidity). >=20 > i think this would only be an issue where quickpkg is being run=20 > non-interactively and the output not being reviewed (which i also dont th= ink=20 > is a common scenario for quickpkg) ... the new output of quickpkg will be= =20 > explicit in what it is (or isnt) doing so there wont be any issue of "dri= ve=20 > by" social engineering Well, I often use quickpkg when I want to try a new version of a package (I quickpkg the currently installed one.. and I want to keep all the config files). Then I emerge the new one, and I absolutely want to be able to restore the config files if I want to revert to an older version, either because they have been broken by the pkg_postinst or something else. I still haven't heard a good reason to change anything thats not the printing in quickpkg. > as for dubbing people who are successfully socially engineered "stupid", = i=20 > dont really think that's appropriate ... consider noobs on irc in #gentoo= who=20 > just want to help and havent learned their way around yet. are they stup= id=20 > (well they might be, but lets give them the benefit of the doubt) ? i'd=20 > liken the situation to a kid growing up ... kids arent stupid, they lack=20 > experience and calling them stupid isnt constructive I'm not calling anyone stupid... but I'm talking of our inner stupidity (which we all have)... --=20 Olivier Cr=C3=AAte tester@gentoo.org Gentoo Developer --=-VHfIKLsZYcx/2xvUKvYP Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQBGeaz/HTiOWk7ZorsRAgZkAJ4zjFPnTS/24ilQJXYeKU3HSGIK5QCeMm7y XqpEPpLYhWWVUviYdTXMFvk= =CMgh -----END PGP SIGNATURE----- --=-VHfIKLsZYcx/2xvUKvYP-- -- gentoo-dev@gentoo.org mailing list